从外部源向 Keycloak 身份验证添加其他角色

【问题标题】:Add additional role to Keycloak authentication from outer source从外部源向 Keycloak 身份验证添加其他角色
【发布时间】:2020-09-28 13:01:34
【问题描述】:

我想通过 Keycloak 对用户进行身份验证,但我需要向 Spring Security 使用的 Authentication 对象添加额外的角色。添加角色保存在 Postgres 数据库中。

  1. 我尝试使用自定义 AuthenticationProvider 覆盖 configureGlobal,但没有成功。 

    @Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    ApplicationAuthenticationProvider provider = new ApplicationAuthenticationProvider();
    provider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper());
    auth.authenticationProvider(provider);
}

    @组件 公共类 ApplicationAuthenticationProvider 扩展 KeycloakAuthenticationProvider {

    @Autowired
private UserService userService;

private GrantedAuthoritiesMapper grantedAuthoritiesMapper;

public void setGrantedAuthoritiesMapper(GrantedAuthoritiesMapper grantedAuthoritiesMapper) {
    this.grantedAuthoritiesMapper = grantedAuthoritiesMapper;
}

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    KeycloakAuthenticationToken token = (KeycloakAuthenticationToken) authentication;
    List<GrantedAuthority> grantedAuthorities = new ArrayList<>();

    String username = ((KeycloakAuthenticationToken) authentication)
            .getAccount().getKeycloakSecurityContext().getToken().getPreferredUsername();
    List<Role> roles = userService.findRoles(username);

    for (Role role : roles) {
        grantedAuthorities.add(new KeycloakRole(role.toString()));
    }
    return new KeycloakAuthenticationToken(token.getAccount(), token.isInteractive(), mapAuthorities(grantedAuthorities));
}

@Override
public boolean supports(Class<?> authentication) {
    return authentication.equals(UsernamePasswordAuthenticationToken.class);
}

private Collection<? extends GrantedAuthority> mapAuthorities(
        Collection<? extends GrantedAuthority> authorities) {
    return grantedAuthoritiesMapper != null
            ? grantedAuthoritiesMapper.mapAuthorities(authorities)
            : authorities;
}

    }

  2. 尝试添加额外的过滤器,但我不确定配置是否正确。

    @豆

    @Override
protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
    RequestMatcher requestMatcher =
            new OrRequestMatcher(
                    new AntPathRequestMatcher("/api/login"),
                    new QueryParamPresenceRequestMatcher(OAuth2Constants.ACCESS_TOKEN),
                    // We're providing our own authorization header matcher
                    new IgnoreKeycloakProcessingFilterRequestMatcher()
            );
    return new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(), requestMatcher);
}

// Matches request with Authorization header which value doesn't start with "Basic " prefix
private class IgnoreKeycloakProcessingFilterRequestMatcher implements RequestMatcher {
    IgnoreKeycloakProcessingFilterRequestMatcher() {
    }

public boolean matches(HttpServletRequest request) {
    String authorizationHeaderValue = request.getHeader("Authorization");
    return authorizationHeaderValue != null && !authorizationHeaderValue.startsWith("Basic ");
}

    }

【问题讨论】:

  • 你是怎么解决的?

标签: spring-boot authentication spring-security keycloak openid-connect


【解决方案1】:

现在我只将 Keycloak 用于登录名/密码。角色和权限现在保存在本地数据库中。

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 2016-09-23
    • 2016-06-14
    • 2017-12-15
    • 2019-03-10
    • 1970-01-01
    • 2012-01-13
    • 2015-05-31
    • 1970-01-01
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode